03-28-2012 11:59 PM - edited 03-11-2019 03:48 PM
Hi Team,
We are observing that the number of connections through the ASA 5580 keeps increasing, and one fine day it stops sending/receiving traffic.
firewall# show conn count
1900000 in use, 2000008 most used
As per the datasheet of this ASA, the maximum permissible connections is 2 million (20 lakh), and the output shows that there are currently 1900000 connections and that 2 million + 8 connections is the most used.
When I run "show local-host | include host|count/limit", below are the outputs showing the hosts with the maximum connections:
local host: <172.x.x.x>,
TCP flow count/limit = 35857/unlimited
TCP embryonic count to host = 25
UDP flow count/limit = 0/unlimited
local host: <DC01>,
TCP flow count/limit = 306/unlimited
TCP embryonic count to host = 8
UDP flow count/limit = 736807/unlimited
local host: <DC02>,
TCP flow count/limit = 246/unlimited
TCP embryonic count to host = 2
UDP flow count/limit = 582010/unlimited
local host: <172.y.y.y>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
UDP flow count/limit = 308412/unlimited
These are the top 4 hosts by connections. I wonder whether we should consider only the TCP flow count, or UDP as well?
04-07-2012 08:57 AM
Hi Rajesh,
Both TCP and UDP connections should be counted.
-Mike
04-10-2012 12:07 AM
Hi Mike,
Could you please help in identifying the genuine connections? Is there any combination of flags or something to be executed in the show conn command in order to identify the fake or unwanted connections? Is there any way to proceed further?
04-16-2012 11:39 PM
Any help?
04-17-2012 12:00 AM
Hi,
I have had to deal with a similar problem only 2-3 times, and it was always a "contaminated" computer/server.
In the latest case a single server in an environment with an ASA5540 was pushing so many connections that it reached the maximum connections for that ASA model (400 000).
First I would start by checking what connections are being formed from the hosts that you listed above. I guess you should usually see some sort of well-known port used for any service that's needed. It might also help if there was someone there who knows exactly what connections your servers etc. are supposed to handle.
How many hosts are there in your network?
What has been the normal trend with the connection count before you ran into this problem?
How did you notice this problem? Connections weren't being formed through the ASA?
What have you done so far regarding this problem?
- Jouni
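Added example, not part of the thread and not Cisco's code: a small Python script that does the triage Mike and Jouni describe. It sums TCP and UDP flows per local host from "show local-host" output (both count toward the platform connection limit), then takes one host's entries from "show conn" and buckets them by protocol and remote port, counts distinct remote peers per bucket, and counts TCP entries whose flags lack "U", which in the ASA flag legend means the connection is not yet up (half-open). The sample lines below are constructed in the ASA 8.x "show conn" format with hypothetical addresses; the local-host sample is modelled on the counts quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of "show local-host | include host|count/limit" output
# (modelled on the thread's counts; not a capture from the poster's ASA).
LOCAL_HOST_SAMPLE = """\
local host: <172.16.1.10>,
    TCP flow count/limit = 35857/unlimited
    UDP flow count/limit = 0/unlimited
local host: <10.0.0.21>,
    TCP flow count/limit = 306/unlimited
    UDP flow count/limit = 736807/unlimited
local host: <10.0.0.22>,
    TCP flow count/limit = 246/unlimited
    UDP flow count/limit = 582010/unlimited
"""

# Constructed "show conn" lines (ASA 8.x layout, hypothetical addresses).
SHOW_CONN_SAMPLE = """\
UDP outside 198.51.100.5:53 inside 10.0.0.21:40001, idle 0:00:01, bytes 64, flags -
UDP outside 198.51.100.5:53 inside 10.0.0.21:40002, idle 0:00:01, bytes 64, flags -
UDP outside 198.51.100.6:53 inside 10.0.0.21:40003, idle 0:00:02, bytes 64, flags -
UDP outside 203.0.113.9:6881 inside 10.0.0.21:40004, idle 0:00:01, bytes 0, flags -
UDP outside 203.0.113.9:6882 inside 10.0.0.21:40005, idle 0:00:01, bytes 0, flags -
UDP outside 203.0.113.9:6883 inside 10.0.0.21:40006, idle 0:00:01, bytes 0, flags -
TCP outside 203.0.113.50:443 inside 10.0.0.21:50001, idle 0:00:10, bytes 5320, flags UIO
TCP outside 203.0.113.51:80 inside 172.16.1.10:51001, idle 0:00:05, bytes 128, flags saA
TCP outside 203.0.113.52:80 inside 172.16.1.10:51002, idle 0:00:05, bytes 0, flags saA
"""

HOST_RE = re.compile(r"local host: <([^>]+)>")
FLOW_RE = re.compile(r"(TCP|UDP) flow count/limit = (\d+)/")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),.*?bytes (?P<bytes>\d+), flags (?P<flags>\S*)"
)


def rank_local_hosts(text):
    """Return [(host, tcp, udp, tcp+udp)] sorted by total flows, descending.
    TCP and UDP both consume entries in the connection table, so both are summed."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            hosts[current] = {"TCP": 0, "UDP": 0}
            continue
        m = FLOW_RE.search(line)
        if m and current is not None:
            hosts[current][m.group(1)] = int(m.group(2))
    rows = [(h, c["TCP"], c["UDP"], c["TCP"] + c["UDP"]) for h, c in hosts.items()]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def profile_host(text, host):
    """Bucket one host's "show conn" entries by (proto, remote port), count
    distinct remote peers per bucket, and count TCP entries without the 'U'
    (up) flag, i.e. handshakes that never completed."""
    by_service = Counter()
    peers = defaultdict(set)
    half_open_tcp = 0
    total = 0
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        # The host can appear on either side; the other side is the remote peer.
        if m["ip1"] == host:
            remote_ip, remote_port = m["ip2"], int(m["port2"])
        elif m["ip2"] == host:
            remote_ip, remote_port = m["ip1"], int(m["port1"])
        else:
            continue
        total += 1
        key = (m["proto"], remote_port)
        by_service[key] += 1
        peers[key].add(remote_ip)
        if m["proto"] == "TCP" and "U" not in m["flags"]:
            half_open_tcp += 1
    return {
        "total": total,
        "by_service": dict(by_service),
        "peers": {k: len(v) for k, v in peers.items()},
        "half_open_tcp": half_open_tcp,
    }


if __name__ == "__main__":
    for host, tcp, udp, total in rank_local_hosts(LOCAL_HOST_SAMPLE):
        print(f"{host:16} TCP={tcp:8} UDP={udp:8} total={total:8}")
    top = rank_local_hosts(LOCAL_HOST_SAMPLE)[0][0]
    prof = profile_host(SHOW_CONN_SAMPLE, top)
    print(f"\n{top}: {prof['total']} conns, {prof['half_open_tcp']} half-open TCP")
    for (proto, port), n in sorted(prof["by_service"].items(), key=lambda kv: -kv[1]):
        print(f"  {proto}/{port:<5} conns={n:4} peers={prof['peers'][(proto, port)]}")
```

In practice you would paste the full "show conn" output (or "show conn address <host>") into SHOW_CONN_SAMPLE. A legitimate server shows a few buckets on well-known ports with many peers; a host spraying one remote port across thousands of peers, or thousands of distinct remote ports to one peer, or a large half-open TCP count, is the one to pull off the network and inspect.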